Akismet XSS Vulnerability
This entry was posted in WordPress Security on October 19, 2015 by Mark Maunder
A vulnerability in Akismet emerged last week, and because Akismet is one of the most widely used plugins for WordPress, we wanted to bring it to your attention.
Akismet is a comment spam filter for WordPress and in general, it does a great job. The Akismet team announced on their blog last week that a cross site scripting (XSS) vulnerability had been discovered in all versions of Akismet since 2.5.0.
There is no evidence that the vulnerability has been exploited in the wild. The Akismet and WordPress teams immediately took the following actions:
- They released updates for all affected versions of Akismet.
- The WordPress.org team issued an automatic update of the Akismet plugin on affected sites. If you noticed that your WordPress site was automatically upgraded to the newest version of Akismet, that is why.
- The Akismet team modified their API so that if a hacker did try to exploit a vulnerable version of Akismet, their API would block the attack by filtering out the comment the hacker tried to post. What this means is that as soon as the vulnerability was discovered and the Akismet team made this change, even vulnerable versions of Akismet were no longer exploitable.
Kudos to the Akismet team for responding to this so rapidly and comprehensively. If you’re running Akismet, we recommend you sign in to your WordPress site and make sure that Akismet has been updated to the newest version.